rhsa-2014_0895
Vulnerability from csaf_redhat
Published
2014-07-16 17:12
Modified
2024-11-22 08:26
Summary
Red Hat Security Advisory: Red Hat JBoss Data Grid 6.3.0 update
Notes
Topic
Red Hat JBoss Data Grid 6.3.0, which fixes multiple security issues,
various bugs, and adds enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
Details
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.
This release of Red Hat JBoss Data Grid 6.3.0 serves as a replacement for
Red Hat JBoss Data Grid 6.2.1. It includes various bug fixes and
enhancements which are detailed in the Red Hat JBoss Data Grid 6.3.0
Release Notes. The Release Notes will be available shortly from
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/
This update also fixes the following security issues:
It was discovered that JBoss Web did not limit the length of chunk sizes
when using chunked transfer encoding. A remote attacker could use this flaw
to perform a denial of service attack against JBoss Web by streaming an
unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)
It was found that JBoss Web did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a JBoss Web server
located behind a reverse proxy that processed the content length header
correctly. (CVE-2014-0099)
It was found that the security audit functionality, provided by Red Hat
JBoss Data Grid, logged request parameters in plain text. This may have
caused passwords to be included in the audit log files when using BASIC or
FORM-based authentication. A local attacker with access to audit log files
could possibly use this flaw to obtain application or server authentication
credentials. Refer to the Solution section of this advisory for additional
information on the fix for this issue. (CVE-2014-0058)
It was found that the security auditing functionality provided by PicketBox
and JBossSX, both security frameworks for Java applications, used a
world-readable audit.log file to record sensitive information. A local user
could possibly use this flaw to gain access to the sensitive information in
the audit.log file. (CVE-2014-0059)
It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in JBoss Web allowed the definition of XML External Entities
(XXEs) in provided XSLTs. A malicious application could use this to
circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)
It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web to
process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same JBoss Web instance. (CVE-2014-0119)
The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.
All users of Red Hat JBoss Data Grid 6.2.1 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.3.0.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss Data Grid 6.3.0, which fixes multiple security issues,\nvarious bugs, and adds enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on\nInfinispan.\n\nThis release of Red Hat JBoss Data Grid 6.3.0 serves as a replacement for\nRed Hat JBoss Data Grid 6.2.1. It includes various bug fixes and\nenhancements which are detailed in the Red Hat JBoss Data Grid 6.3.0\nRelease Notes. The Release Notes will be available shortly from\nhttps://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/\n\nThis update also fixes the following security issues:\n\nIt was discovered that JBoss Web did not limit the length of chunk sizes\nwhen using chunked transfer encoding. A remote attacker could use this flaw\nto perform a denial of service attack against JBoss Web by streaming an\nunlimited quantity of data, leading to excessive consumption of server\nresources. (CVE-2014-0075)\n\nIt was found that JBoss Web did not check for overflowing values when\nparsing request content length headers. A remote attacker could use this\nflaw to perform an HTTP request smuggling attack on a JBoss Web server\nlocated behind a reverse proxy that processed the content length header\ncorrectly. (CVE-2014-0099)\n\nIt was found that the security audit functionality, provided by Red Hat\nJBoss Data Grid, logged request parameters in plain text. This may have\ncaused passwords to be included in the audit log files when using BASIC or\nFORM-based authentication. A local attacker with access to audit log files\ncould possibly use this flaw to obtain application or server authentication\ncredentials. Refer to the Solution section of this advisory for additional\ninformation on the fix for this issue. (CVE-2014-0058)\n\nIt was found that the security auditing functionality provided by PicketBox\nand JBossSX, both security frameworks for Java applications, used a\nworld-readable audit.log file to record sensitive information. A local user\ncould possibly use this flaw to gain access to the sensitive information in\nthe audit.log file. (CVE-2014-0059)\n\nIt was found that the org.apache.catalina.servlets.DefaultServlet\nimplementation in JBoss Web allowed the definition of XML External Entities\n(XXEs) in provided XSLTs. A malicious application could use this to\ncircumvent intended security restrictions to disclose sensitive\ninformation. (CVE-2014-0096)\n\nIt was found that, in certain circumstances, it was possible for a\nmalicious web application to replace the XML parsers used by JBoss Web to\nprocess XSLTs for the default servlet, JSP documents, tag library\ndescriptors (TLDs), and tag plug-in configuration files. The injected XML\nparser(s) could then bypass the limits imposed on XML external entities\nand/or gain access to the XML files processed for other web applications\ndeployed on the same JBoss Web instance. (CVE-2014-0119)\n\nThe CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product\nSecurity.\n\nAll users of Red Hat JBoss Data Grid 6.2.1 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.3.0.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2014:0895", "url": "https://access.redhat.com/errata/RHSA-2014:0895" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/", "url": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/" }, { "category": "external", "summary": "1063641", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641" }, { "category": "external", "summary": "1063642", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063642" }, { "category": "external", "summary": "1072776", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072776" }, { "category": "external", "summary": "1088342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1088342" }, { "category": "external", "summary": "1102030", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102030" }, { "category": "external", "summary": "1102038", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102038" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0895.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Grid 6.3.0 update", "tracking": { "current_release_date": "2024-11-22T08:26:20+00:00", "generator": { "date": "2024-11-22T08:26:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2014:0895", "initial_release_date": "2014-07-16T17:12:23+00:00", "revision_history": [ { "date": "2014-07-16T17:12:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:35:29+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T08:26:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Grid 6.3", "product": { "name": "Red Hat JBoss Data Grid 6.3", "product_id": "Red Hat JBoss Data Grid 6.3", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_grid:6.3.0" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Grid" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-0058", "discovery_date": "2014-02-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1063641" } ], "notes": [ { "category": "description", "text": "It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.", "title": "Vulnerability description" }, { "category": "summary", "text": "EAP6: Plain text password logging during security audit", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Grid 6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0058" }, { "category": "external", "summary": "RHBZ#1063641", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0058", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0058" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058" } ], "release_date": "2014-02-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-07-16T17:12:23+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.", "product_ids": [ "Red Hat JBoss Data Grid 6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0895" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Data Grid 6.3" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "EAP6: Plain text password logging during security audit" }, { "cve": "CVE-2014-0059", "cwe": { "id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" }, "discovery_date": "2014-02-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1063642" } ], "notes": [ { "category": "description", "text": "It was found that the security auditing functionality provided by PicketBox and JBossSX, both security frameworks for Java applications, used a world-readable audit.log file to record sensitive information. A local user could possibly use this flaw to gain access to the sensitive information in the audit.log file.", "title": "Vulnerability description" }, { "category": "summary", "text": "JBossSX/PicketBox: World readable audit.log file", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Grid 6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0059" }, { "category": "external", "summary": "RHBZ#1063642", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063642" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0059", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0059" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0059", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0059" } ], "release_date": "2014-05-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-07-16T17:12:23+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.", "product_ids": [ "Red Hat JBoss Data Grid 6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0895" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Data Grid 6.3" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "JBossSX/PicketBox: World readable audit.log file" }, { "acknowledgments": [ { "names": [ "David Jorm" ], "organization": "Red Hat Product Security", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2014-0075", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2014-02-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1072776" } ], "notes": [ { "category": "description", "text": "It was discovered that JBoss Web / Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web / Apache Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources.", "title": "Vulnerability description" }, { "category": "summary", "text": "Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue does affect JBossWeb as shipped in Red Hat JBoss Enterprise Application Platform 5. Red Hat Product Security has rated this issue as having Moderate security impact. Red Hat JBoss Enterprise Application Platform 5 is currently in reduced support phase (Phase 2: Maintenance Support), receiving only Critical and Important security updates, hence this issue is not currently planned to be addressed in future updates for Red Hat Enterprise Application Platform 5. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ and the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Grid 6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0075" }, { "category": "external", "summary": "RHBZ#1072776", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072776" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0075", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0075" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0075", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0075" } ], "release_date": "2014-05-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-07-16T17:12:23+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.", "product_ids": [ "Red Hat JBoss Data Grid 6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0895" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "Red Hat JBoss Data Grid 6.3" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter" }, { "cve": "CVE-2014-0096", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2014-04-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1088342" } ], "notes": [ { "category": "description", "text": "It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web / Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information.", "title": "Vulnerability description" }, { "category": "summary", "text": "Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue does affect JBossWeb as shipped in Red Hat JBoss Enterprise Application Platform 5. Red Hat Product Security has rated this issue as having Low security impact. Red Hat JBoss Enterprise Application Platform 5 is currently in reduced support phase (Phase 2: Maintenance Support), receiving only Critical and Important security updates, hence this issue is not currently planned to be addressed in future updates for Red Hat Enterprise Application Platform 5. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ and the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Grid 6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0096" }, { "category": "external", "summary": "RHBZ#1088342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1088342" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0096", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0096" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0096", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0096" } ], "release_date": "2014-05-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-07-16T17:12:23+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.", "product_ids": [ "Red Hat JBoss Data Grid 6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0895" } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Data Grid 6.3" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs" }, { "cve": "CVE-2014-0099", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2014-05-27T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1102030" } ], "notes": [ { "category": "description", "text": "It was found that JBoss Web / Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web / Apache Tomcat server located behind a reverse proxy that processed the content length header correctly.", "title": "Vulnerability description" }, { "category": "summary", "text": "Tomcat/JBossWeb: Request smuggling via malicious content length header", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue does affect JBossWeb as shipped in Red Hat JBoss Enterprise Application Platform 5. Red Hat Product Security has rated this issue as having Moderate security impact. Red Hat JBoss Enterprise Application Platform 5 is currently in reduced support phase (Phase 2: Maintenance Support), receiving only Critical and Important security updates, hence this issue is not currently planned to be addressed in future updates for Red Hat Enterprise Application Platform 5. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ and the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Grid 6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0099" }, { "category": "external", "summary": "RHBZ#1102030", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102030" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0099", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0099" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0099", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0099" } ], "release_date": "2014-05-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-07-16T17:12:23+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.", "product_ids": [ "Red Hat JBoss Data Grid 6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0895" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Data Grid 6.3" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Tomcat/JBossWeb: Request smuggling via malicious content length header" }, { "cve": "CVE-2014-0119", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2014-05-27T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1102038" } ], "notes": [ { "category": "description", "text": "It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same JBoss Web / Apache Tomcat instance.", "title": "Vulnerability description" }, { "category": "summary", "text": "Tomcat/JBossWeb: XML parser hijack by malicious web application", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Grid 6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0119" }, { "category": "external", "summary": "RHBZ#1102038", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102038" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0119", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0119" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0119", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0119" } ], "release_date": "2014-05-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-07-16T17:12:23+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.", "product_ids": [ "Red Hat JBoss Data Grid 6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0895" } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Data Grid 6.3" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Tomcat/JBossWeb: XML parser hijack by malicious web application" }, { "acknowledgments": [ { "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2014-3481", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2014-06-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1105242" } ], "notes": [ { "category": "description", "text": "It was found that the default context parameters as provided to RESTEasy deployments by JBoss EAP did not explicitly disable external entity expansion for RESTEasy. A remote attacker could use this flaw to perform XML External Entity (XXE) attacks on RESTEasy applications accepting XML input.", "title": "Vulnerability description" }, { "category": "summary", "text": "JAX-RS: Information disclosure via XML eXternal Entity (XXE)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Grid 6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-3481" }, { "category": "external", "summary": "RHBZ#1105242", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1105242" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3481", "url": "https://www.cve.org/CVERecord?id=CVE-2014-3481" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3481", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3481" } ], "release_date": "2014-06-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-07-16T17:12:23+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Data Grid installation.\n\nThe provided patch to fix CVE-2014-0058 also allows greater control over\nwhich of the following components of web requests are captured in audit\nlogs:\n\n- parameters\n- cookies\n- headers\n- attributes\n\nIt is also possible to selectively mask some elements of headers,\nparameters, cookies, and attributes using masks. This capability is\nprovided by two system properties, which are introduced by this patch:\n\n1) org.jboss.security.web.audit\n\nDescription:\nThis property controls the granularity of the security auditing of web\nrequests.\n\nPossible values:\noff = Disables auditing of web requests\nheaders = Audits only the headers of web requests\ncookies = Audits only the cookies of web requests\nparameters = Audits only the parameters of web requests\nattributes = Audits only the attributes of web requests\nheaders,cookies,parameters = Audits the headers, cookies, and parameters of\nweb requests\nheaders,cookies = Audits the headers and cookies of web requests\n\nDefault Value:\nheaders, parameters\n\nExamples:\nSetting \"org.jboss.security.web.audit=off\" disables security auditing of\nweb requests entirely.\nSetting \"org.jboss.security.web.audit=headers\" enables security auditing of\nonly headers in web requests.\n\n2) org.jboss.security.web.audit.mask\n\nDescription:\nThis property can be used to specify a list of strings to be matched\nagainst headers, parameters, cookies, and attributes of web requests.\nAny element matching the specified masks will be excluded from security\naudit logging.\n\nPossible values:\nAny comma separated string indicating keys of headers, parameters, cookies,\nand attributes.\n\nDefault Value:\nj_password, authorization\n\nNote that currently the matching of the masks is fuzzy rather than strict.\nFor example, a mask of \"authorization\" will mask both the header called\nauthorization and the parameter called \"custom_authorization\". A future\nrelease may introduce strict masks.", "product_ids": [ "Red Hat JBoss Data Grid 6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0895" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Data Grid 6.3" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "JAX-RS: Information disclosure via XML eXternal Entity (XXE)" } ] }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.